Analysis
-
max time kernel
1562s -
max time network
1573s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-04-2024 18:50
General
-
Target
04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe
-
Size
2.1MB
-
MD5
e4bf35b81bfaa0e789ad9461dbacb542
-
SHA1
dcf7b855b2c3516a6b88a410ef5b44a2c650f62d
-
SHA256
04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
-
SHA512
6635342515a01acde48792cb362dc9e5bd7ffc4fe6a9b8b2fdb0d6c8758d79db847daf28e2fe700a898425214d95d2707337c900c695a47cfd9dada946adf64d
-
SSDEEP
49152:Iw80cTsjkWanAlfiebWlHcA+G6HYaqK3hUQrObmyPYjR+:Z8sjkrgWezG6lh73jR+
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\README-ISHTAR.txt
https://bitmsg.me/
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 5 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe"C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Desktop\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.docx"2⤵
-
-
C:\Users\Admin\AppData\Roaming\pHE3Pm.exeC:\Users\Admin\AppData\Roaming\pHE3Pm.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\pHE3Pm.exe"C:\Users\Admin\AppData\Roaming\pHE3Pm.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Roaming\pHE3Pm.tmp"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c whoami /all4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\whoami.exewhoami /all5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\eventvwr.exe"C:\Windows\System32\eventvwr.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
-
-
-
-
C:\Users\Admin\AppData\Roaming\pHE3Pm.exe/scomma C:\Users\Admin\AppData\Roaming\~p9916D88BD6DE.tmp4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\pHE3Pm.exe/scomma C:\Users\Admin\AppData\Roaming\~m9916D88BD6DE.tmp4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
-
C:\Users\Admin\AppData\Roaming\pHE3Pm.exe/scomma C:\Users\Admin\AppData\Roaming\~p9916D88BD6DE.tmp4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Roaming\pHE3Pm.exe/scomma C:\Users\Admin\AppData\Roaming\~m9916D88BD6DE.tmp4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c whoami /all4⤵
-
C:\Windows\SysWOW64\whoami.exewhoami /all5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 1 localhost > nul & del /f /q "C:\Users\Admin\AppData\Local\Temp\04035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9.exe"2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 1 localhost3⤵
- Runs ping.exe
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5cbf468d5e3d2d6fe3023d6dc32c9e5fb
SHA1b965fe1580e236f34ced39cf7c36edfe96990c81
SHA256d721c952dcb8cd2f2fdf81a4d59d88d94345fc0986dfc6fd03d9d6b4a523e34d
SHA512b4eba261ea6a6e13d8d0a52f3448c6c8096b994ea80768cdb9da78d570032d0630eb39ddd58265f8d7d2bd40c0bb4ea8ce04362fd0fc60977607f2ca3174236e
-
Filesize
1KB
MD57c7f0401533ac0f3bda9395cdc31a297
SHA1caee409e0a1faa857de3e18fefa19c144ccb0f5c
SHA25679edc980fd54cc6a232caed93852d18b98e8ae41e0858dfb32cc39c42ce3c6c6
SHA5127c47a66af2176f0ffde73b0a643d01cf6c4b41f5acf98117e8963cad02d89cfbea6b95d88fa05f8469671bf20a1736fff3b76fa44fc2a210d928e92266444abf
-
Filesize
1KB
MD5d0b60b9da3f226f60e9ff83521494239
SHA1fd5080ed66bb3e17849d553ce97c25571f4d16d3
SHA25625a6ca4bcaec2618aa5e0d997a2ec767abdf337ddb81a6a2cd3553724902f695
SHA512d6c61cea2ad38a8f425fab766cdff9e58a9f642dda6f340836cfaa509f859b7b4ffd75e5d583a8c8154d05f0c7bfb7b0c0dc4181eaefcc1d2c6879037cf2838c
-
Filesize
1.2MB
MD5369ab221049cd9560602b9e5aebf2dda
SHA1029ec59baaee07a6317b42c446f02d7192766812
SHA256d8c61b75dcffc31bb0016d4164f7e21d767b70f53e775da8fb964928782e13da
SHA51214aa5aef2c682e3220c59f9ee143befe5b5d9f50d4a71028d4161098ff33a6f75348622ab837c556843feaad2300ec51d5affa92dea364fd8d751c426bd717c3
-
Filesize
112B
MD536427ecb2a0faf13af3047c51b29f9c5
SHA19a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f
SHA256ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345
SHA5124e1ff95c087545b9fe56bbc008516d1e0bbecd9cae246d7baecd7773404e24678ec22b515ec6e6f715081fd079e6d400aa4060abaf9346cdc609873be76833f0
-
Filesize
276B
MD5b357929e7562d4866aa5958c9575895c
SHA1ee700b2b7664cb45619472df2f41e6b114ca1aef
SHA2569c0249341882665020d594e260fcd4fbdeb2cecae4f76609bbc58167908c392f
SHA51288481327fee6c707ec0e145021f3c7710a053fa8c1da47e7897f7c9f9526c5f70fc1d5e1dc1a2beaf22b212063cf37a02ddcc1d16743d032b899b0aadc6945f0
-
Filesize
2.1MB
MD5e4bf35b81bfaa0e789ad9461dbacb542
SHA1dcf7b855b2c3516a6b88a410ef5b44a2c650f62d
SHA25604035f6fdd921309391aef9c88e550d8b3d31c7a4ea80267cb436f491aedd1f9
SHA5126635342515a01acde48792cb362dc9e5bd7ffc4fe6a9b8b2fdb0d6c8758d79db847daf28e2fe700a898425214d95d2707337c900c695a47cfd9dada946adf64d
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44KB